CVE-2026-33644 Overview
CVE-2026-33644 is a Server-Side Request Forgery (SSRF) protection bypass vulnerability in Lychee, the free, open-source photo-management tool. The vulnerability exists in the PhotoUrlRule.php file, where the SSRF protection mechanism can be circumvented using DNS rebinding. The IP validation check implemented at lines 86-89 only activates when the hostname is supplied directly as an IP address. When a domain name is used instead, the filter_var($host, FILTER_VALIDATE_IP) call returns false and the whole security check is skipped.
Critical Impact
Attackers with authenticated access can bypass SSRF protections using DNS rebinding, potentially allowing access to internal network resources and services that should be protected from external requests.
Affected Products
- Lychee Photo Management prior to version 7.5.2
Discovery Timeline
- 2026-03-26 - CVE-2026-33644 published to NVD
- 2026-03-26 - Last updated in NVD database
Technical Details for CVE-2026-33644
Vulnerability Analysis
This vulnerability is classified under CWE-918 (Server-Side Request Forgery). The flaw exists in how Lychee validates URLs submitted for photo imports. The application attempts to prevent SSRF attacks by checking if a provided URL points to internal/private IP addresses. However, this protection is fundamentally flawed because it only performs the IP range check when the hostname portion of the URL is already in IP address format.
When an attacker supplies a URL with a domain name (e.g., http://attacker-controlled-domain.com/image.jpg), the filter_var($host, FILTER_VALIDATE_IP) call returns false because the hostname is not in IP address format, and the subsequent IP range validation logic is bypassed completely. An attacker can then leverage DNS rebinding: a technique in which the domain first resolves to a harmless external IP so that any initial check passes, and then resolves to an internal IP (such as 127.0.0.1 or 192.168.x.x) when the actual request is made.
Root Cause
The root cause is an incomplete input validation implementation in PhotoUrlRule.php. The developers assumed that checking IP addresses against blocklisted ranges would be sufficient SSRF protection. However, they failed to account for the scenario where hostnames are provided as domain names rather than IP addresses. The conditional logic structure means that domain-based URLs completely skip the IP validation path, leaving the application vulnerable to DNS rebinding attacks where the DNS resolution occurs after the validation check.
Attack Vector
The attack vector is network-based and requires authentication (low privileges). An attacker can exploit this vulnerability by:
- Setting up a DNS server that responds with alternating IP addresses (DNS rebinding)
- Creating a malicious URL pointing to the attacker-controlled domain
- Submitting this URL through Lychee's photo import functionality
- The domain initially resolves to an external IP, bypassing validation
- During the actual fetch request, DNS resolves to an internal IP address
- Lychee fetches resources from the internal network on behalf of the attacker
The following patch was implemented to address the DNS rebinding vulnerability:
use App\Repositories\ConfigManager;
use Illuminate\Contracts\Validation\ValidationRule;
+use Safe\Exceptions\NetworkException;
use Safe\Exceptions\UrlException;
+use function Safe\inet_pton;
use function Safe\parse_url;
final class PhotoUrlRule implements ValidationRule
{
+ /**
+ * @param ConfigManager $config_manager
+ * @param \Closure $dns_get_record defaulted to dns_get_record(string $hostname, int $type = ?, array &$authoritative_name_servers = ?, array &$additional_records = ?, bool $raw = ?): array|false
+ *
+ * @return void
+ */
public function __construct(
private ConfigManager $config_manager,
+ private \Closure|null $dns_get_record = null,
) {
+ $this->dns_get_record = $dns_get_record ?? \Closure::fromCallable('dns_get_record');
}
/**
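Review bot: the promoted property `private \Closure|null $dns_get_record = null` keeps a nullable type even though the constructor body always assigns a closure (`$dns_get_record ?? \Closure::fromCallable('dns_get_record')`), so every call site must either null-check or trust the invariant; a non-promoted `private \Closure $dns_get_record;` with the nullable type kept only on the constructor parameter lets the type system guarantee the resolver is set. The docblock line `@param \Closure $dns_get_record defaulted to dns_get_record(string $hostname, int $type = ?, ...)` would read better as a statement that the closure must take the same arguments as `dns_get_record()` and return the record array (or `false`), since that return shape is what the rule will have to parse. The lines where the closure is invoked, where the imported `Safe\inet_pton` is applied to the answers and where `NetworkException` is caught are outside this excerpt; when reviewing the rest of the commit, confirm that a resolution failure (`false` or an exception) rejects the URL rather than falling through to the old accept path.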
Source: GitHub Commit Update
Detection Methods for CVE-2026-33644
Indicators of Compromise
- Unusual outbound requests from the Lychee server to internal IP ranges (127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)
- Photo import requests using suspicious or recently registered domain names
- DNS query patterns showing rapid TTL changes or alternating IP resolutions for the same domain
- Web server logs showing photo URL imports from domains that resolve to private IP addresses
Detection Strategies
- Monitor DNS resolution logs for domains that resolve to both external and internal IP addresses in short time windows
- Implement application-level logging for all photo import URL requests and their resolved IP addresses
- Deploy network monitoring to detect outbound HTTP requests from the Lychee server to internal services
- Review Lychee application logs for failed or unusual photo import attempts
Monitoring Recommendations
- Enable verbose logging in Lychee to capture all URL import requests with full headers and resolved addresses
- Configure network intrusion detection systems to alert on internal IP access from web application servers
- Monitor for DNS rebinding patterns in DNS server logs—look for domains with very low TTL values
- Establish baseline network behavior for the Lychee server and alert on deviations
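The indicators and detection strategies above (internal-range resolutions for imported URLs, and the same domain answering with external and internal addresses inside a short window) can be checked mechanically against application logs. The following is an added example written for this page, not Lychee's own code: it parses a constructed log format (Lychee's real log layout is not assumed here) in which each photo import line records the requested host and the address it resolved to, flags every import that resolved to a non-global address, and flags a rebinding pattern when one host flips between external and internal answers within a configurable window. The sample log lines and the host names in them are constructed.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Constructed log format for this example (not Lychee's real format): one line per
# event with an ISO-8601 UTC timestamp, an event name, then key=value pairs.
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>\S+) (?P<kv>.*)$")

# Constructed sample: bob's domain answers with a public address and, four seconds
# later, with 127.0.0.1; carol and dave point imports straight at internal hosts.
SAMPLE_LOG = """\
2026-03-27T10:00:01Z photo_import user=alice host=cdn.example resolved=51.15.0.10
2026-03-27T10:00:05Z photo_import user=bob host=flip.example resolved=51.15.0.20
2026-03-27T10:00:09Z photo_import user=bob host=flip.example resolved=127.0.0.1
2026-03-27T10:05:00Z photo_import user=carol host=localhost resolved=127.0.0.1
2026-03-27T10:06:00Z photo_import user=dave host=intranet.example resolved=10.0.0.5
2026-03-27T10:07:00Z login user=erin result=ok
2026-03-27T12:00:00Z photo_import user=bob host=flip.example resolved=51.15.0.20
"""

Alert = Tuple[str, str, str]  # (kind, host, detail)


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one log line, or None if it does not fit the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(p.split("=", 1) for p in m["kv"].split() if "=" in p)
    try:
        fields["ts"] = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    fields["event"] = m["event"]
    return fields


def is_internal(ip: str) -> bool:
    """True for anything not globally routable: loopback, RFC 1918, link-local
    (including 169.254.169.254), CGNAT, reserved. Unparseable answers count as
    internal so that they surface in the alert list rather than being ignored."""
    try:
        return not ipaddress.ip_address(ip).is_global
    except ValueError:
        return True


def find_alerts(log_text: str, window: timedelta = timedelta(minutes=5)) -> List[Alert]:
    """Scan photo_import events and return internal-resolution and rebinding alerts."""
    alerts: List[Alert] = []
    history = defaultdict(list)  # host -> [(timestamp, resolved ip)] seen so far
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec.get("event") != "photo_import":
            continue
        host, ip, ts = rec.get("host"), rec.get("resolved"), rec["ts"]
        if not host or not ip:
            continue
        if is_internal(ip):
            alerts.append(("internal_resolution", host, ip))
        # Rebinding pattern: the same name answered with an external address and
        # an internal one (in either order) within the window.
        for prev_ts, prev_ip in history[host]:
            if ts - prev_ts <= window and is_internal(prev_ip) != is_internal(ip):
                alerts.append(("rebinding_pattern", host, f"{prev_ip} -> {ip}"))
                break
        history[host].append((ts, ip))
    return alerts


if __name__ == "__main__":
    for kind, host, detail in find_alerts(SAMPLE_LOG):
        print(f"{kind:20} {host:20} {detail}")
```

The two-hour-later import of flip.example at the end of the sample produces no alert because it falls outside the five-minute window; tune `window` to the TTLs you actually observe. In production the "resolved" field has to be written by the application at validation time (the second strategy in the list above), because a later lookup from a log-processing host can legitimately return a different answer.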
How to Mitigate CVE-2026-33644
Immediate Actions Required
- Upgrade Lychee to version 7.5.2 or later immediately
- If immediate upgrade is not possible, disable the photo URL import functionality temporarily
- Review server logs for any evidence of exploitation attempts
- Implement network-level restrictions to prevent the Lychee server from accessing internal services
Patch Information
The vulnerability has been patched in Lychee version 7.5.2. The fix introduces proper DNS resolution validation by adding a dns_get_record closure that resolves domain names to IP addresses before performing the IP range validation check. This ensures that even when domain names are provided, the resolved IP addresses are validated against the blocklist before any HTTP requests are made.
For patch details, see the GitHub Commit Update and the GitHub Security Advisory GHSA-5245-4p8c-jwff.
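The flaw described in the Vulnerability Analysis and Root Cause sections, and the resolve-then-validate approach described in the patch summary, can be compared side by side. The following is an added example written for this page in Python, not Lychee's PHP code: `vulnerable_check` mirrors the original pattern, in which the blocklist check runs only when the host is an IP literal, and `hardened_check` resolves a domain name through an injectable resolver (the same idea as the patch's dns_get_record closure), rejects the URL if any answer is loopback, private, link-local, multicast, reserved or unspecified, and returns the single validated address the HTTP client should connect to. The resolver table and host names are constructed; no real DNS lookups are made.

```python
import ipaddress
from typing import Callable, Iterable, Optional
from urllib.parse import urlsplit

# A resolver maps a hostname to its A/AAAA answers as strings. Injecting it, as the
# patch does with its dns_get_record closure, keeps the check testable offline.
Resolver = Callable[[str], Iterable[str]]


def is_disallowed_address(ip: str) -> bool:
    """True for loopback, private, link-local, multicast, reserved or unspecified
    addresses. An IPv4-mapped IPv6 address (::ffff:127.0.0.1) is unwrapped first so
    the IPv4 classification applies to it."""
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return (addr.is_loopback or addr.is_private or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def vulnerable_check(url: str) -> bool:
    """The flawed pattern: the range check runs only when the host is an IP literal.
    Returns True when the URL would be accepted."""
    host = urlsplit(url).hostname or ""
    try:
        ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal: the equivalent of filter_var() returning false, so the
        # blocklist check never runs and the name is accepted unexamined.
        return True
    return not is_disallowed_address(host)


def hardened_check(url: str, resolve: Resolver) -> Optional[str]:
    """Resolve first, validate every answer, and return the one address the HTTP
    client must connect to (pinning). Returns None when the URL is rejected."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.scheme not in ("http", "https") or not host:
        return None
    try:
        ipaddress.ip_address(host)
        answers = [host]                      # IP literal: nothing to resolve
    except ValueError:
        answers = list(resolve(host))         # domain name: resolve now, not later
    if not answers:
        return None                           # NXDOMAIN or resolver failure: reject
    for ip in answers:
        try:
            if is_disallowed_address(ip):
                return None                   # any internal answer rejects the URL
        except ValueError:
            return None                       # malformed answer: reject
    # The caller must open the TCP connection to this address (sending the original
    # Host header), so a second lookup at fetch time cannot substitute another one.
    return answers[0]


# Constructed resolver table for the demonstration; no real DNS is used.
DEMO_DNS = {
    "cdn.example": ["51.15.0.10"],
    "localhost": ["127.0.0.1"],
    "dual.example": ["51.15.0.20", "10.0.0.5"],  # public and private answers together
}


def demo_resolver(host: str) -> Iterable[str]:
    return DEMO_DNS.get(host, [])


if __name__ == "__main__":
    for u in ("http://127.0.0.1/a.jpg", "http://localhost/a.jpg",
              "http://cdn.example/a.jpg", "http://dual.example/a.jpg",
              "http://[::ffff:127.0.0.1]/a.jpg"):
        print(f"{u:36} vulnerable={vulnerable_check(u)!s:5} "
              f"hardened={hardened_check(u, demo_resolver)}")
```

The return value of `hardened_check` matters as much as the check itself: validating the resolved address and then letting the HTTP library resolve the name a second time would reopen the window the page describes, so the validated address is what the fetch must use.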
Workarounds
- Disable the external URL photo import feature if not required for operations
- Implement firewall rules to restrict outbound connections from the Lychee server to only necessary external destinations
- Deploy a web application firewall (WAF) with SSRF protection rules to filter suspicious URL patterns
- Use network segmentation to isolate the Lychee server from sensitive internal resources
# Example: Restrict outbound connections from Lychee server using iptables
# Block access to private IP ranges from the web server
# Note: OUTPUT rules apply to every process on the host, so the 127.0.0.0/8 rule also
# blocks local services reached over loopback; scope the rules to the web-server
# account with -m owner --uid-owner <user> if that is a problem, and add the
# equivalent ip6tables rules (::1/128, fc00::/7, fe80::/10) where IPv6 is enabled.
iptables -A OUTPUT -d 10.0.0.0/8 -j DROP
iptables -A OUTPUT -d 172.16.0.0/12 -j DROP
iptables -A OUTPUT -d 192.168.0.0/16 -j DROP
iptables -A OUTPUT -d 127.0.0.0/8 -j DROP
iptables -A OUTPUT -d 169.254.0.0/16 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

